What Is Sql Injection?

VULNERABILITY DEC ER SQL INJECTION

SQL injection (SQLi) is a high-severity vulnerability. Attackers can exploit SQLi vulnerabilities to access or delete data from the database and do other undesirable things.

WHAT IS SQL INJECTION?

A SQL query is one SQL injection occurs An attacker can use way an application when an application fails specially-crafted SQL talks to the database. to sanitize untrusted data commands to trick the (such as data in web form application into asking ﬁelds) in a database query. the database to execute unexpected commands.

32%

One-third of web applications have at least one SQL injection vulnerability, according to Veracode’s State of Software Security Report.

ATTACKERS CAN EXPLOIT SQL INJECTION VULNERABILITIES TO:

USER_01_ Control an application’s data-driven behavior. ????????? For example, tricking an application into allowing a login SIGN IN without a valid password.

Alter data in the database without authorization. For example, creating fraudulent records, adding users or promoting users to higher access levels, or deleting data. ADD USERS

Access data without authorization. ? For example, tricking the database into providing too many results for a query.

ANATOMY OF A SQL INJECTION ATTACK

A SQL query includes an argument, which tells the database to return only the desired records. The value for that argument can be provided by a user (in a form ﬁeld, URL parameter, web cookie, etc.).

A SQL INJECTION ATTACK HAS TWO STAGES:

Reconnaissance Attacker tries submitting various unexpected values for the argument and observes how the application responds. STAGE 1 INJECTION ATTACK Attack Attacker provides a carefully-crafted input value that will be interpreted 2 as part of a SQL command rather INJECTION ATTACK STAGE than merely data; the database then executes the SQL command as modiﬁed by the attacker.

ATTACKER Automation Reconnaissance and attack stages can be automated by readily-available tools.

THE RISK: DATA LEAKAGE

Some very large and devastating data breaches have been the result of SQL injection attacks. Here are a few recent examples and their consequences.

MOSSACK FONSECA

WHAT HOW RESULT “The Panama Papers” — Attacker may have Many of the world’s 11.5 million files and 2.6 TB exploited a customer rich and powerful are of secret data — stolen web portal running a implicated in tax from Panamanian law firm version of Drupal with avoidance schemes. and leaked to world media. a SQL injection flaw.

WORLD ANTI-DOPING AGENCY (WADA)

WHAT HOW RESULT International anti- In a two-pronged American athletes doping group targeted attack, attackers used SQL exposed for taking by Russia-linked injection to steal email banned substances espionage group. addresses and passwords for approved from WADA’s servers, medical reasons. then used spearphishing to steal sta credentials to a system containing private medical records.

PHILIPPINES COMMISSION ON ELECTIONS (COMELEC)

VOTE

WHAT HOW RESULT Personal information Hackers aliated with Leaked data included on every registered voter the Anonymous hacktivist detailed biometric and in the Philippines — group used SQL injection statistical information 55 million people — to query data from a that could be used for leaked online. MySQL database. impersonation and fraud.

QATAR NATIONAL BANK

WHAT HOW RESULT 1.4 GB-worth of Hackers used the Criminals attempted information leaked on sqlmap pen-testing to use leaked credentials members of Qatari royal tool to steal data to access bank and family, government and from the Oracle social media accounts. military ocials and back-end database. prominent journalists.

SAMPLE SQL INJECTION: BREAKING THE BANK

The following hypothetical example shows how a SQL injection vulnerability could be exploited by an attacker to access all bank account numbers and balances from a database.

LOOKING UP AN ACCOUNT BALANCE

When you access your bank account online, the database query might look like this (in Java):

String accountBalanceQuery = "SELECT accountNumber, balance FROM accounts WHERE account_owner_id = " + request.getParameter("user_id");

try { Statement statement = connection.createStatement(); ResultSet rs = statement.executeQuery(accountBalanceQuery); while (rs.next()) { page.addTableRow(rs.getInt("accountNumber"), rs.getFloat("balance")); } } catch (SQLException e) { ... }

EXAMPLE QUERY:

If you have the user ID 984, when you’re logged in you might visit the URL: bankingwebsite/show_balances?user_id=984

The accountBalanceQuery passed to the database would end up being:

SELECT accountNumber, balance FROM accounts WHERE account_owner_id = 984

RESULT: The database returns any account numbers and balances for user ID 984.

SQL INJECTION ATTACK ON THE BANK WEBSITE

The attacker could change the parameter “user_id” to be interpreted as:

0 OR 1=1

And this results in accountBalanceQuery being:

SELECT accountNumber, balance FROM accounts WHERE account_owner_id = 0 OR 1=1

Because 1=1 in all cases, when this query is passed to the database, it will return all the account numbers and balances it has stored.

RESULT: The attacker now knows every user’s account numbers and balances.

HOW TO REPAIR THE VULNERABLE CODE

A developer could easily repair this vulnerability by using a prepared statement to create a parameterized query as below:

String accountBalanceQuery = "SELECT accountNumber, balance FROM accounts WHERE account_owner_id = ?";

try { PreparedStatement statement = connection.prepareStatement(accountBalanceQuery); statement.setInt(1, request.getParameter("user_id")); ResultSet rs = statement.executeQuery(); while (rs.next()) { page.addTableRow(rs.getInt("accountNumber"), rs.getFloat("balance")); } } catch (SQLException e) { ... }

RESULT: If an attacker attempts to supply a value that’s not a simple integer, then statement.setInt() will throw a SQLException error rather than permitting the query to complete.

PREVENTING SQL INJECTION ATTACKS

SQL injection is a common but avoidable vulnerability. Developers can follow these best practices to avoid SQLi vulnerabilities and limit the damage they can cause.

Discover 1 Discover SQLi vulnerabilities by routinely testing your applications using both static and dynamic testing.

Repair 2 Avoid and repair SQLi vulnerabilities by using parameterized queries.

These types of queries specify placeholders for parameters, so the database treats them as data rather than part of a SQL command.

Prepared statements and object-relational mappers (ORMs) make this easy for developers.

Remediate 3 Remediate SQLi vulnerabilities by escaping inputs before adding them to the query.

Use this technique only where prepared statements are unavailable.

Mitigate 4 Mitigate the impact of SQLi vulnerabilities by enforcing least privilege for accessing the database.

SMART DEVELOPERS, SECURE DEVELOPMENT

See how to build security into every stage of your software development lifecycle.

Five Principles for Securing DevOps DOWNLOAD THE FREE GUIDE AT VERACODE.COM/DEVOPS5

Sources

Mossack Fonseca: “The security flaws at the heart of the Panama COMELEC: “When a nation is hacked: Understanding the ginormous Papers,” Wired, April 6, 2016, www.wired.co.uk/article/panama- Philippines data breach,” Troy Hunt, April 13, 2016, www.troyhunt.com papers-mossack-fonseca-website-security-problems. /when-nation-is-hacked-understanding/, “Int’l web security expert slams Comelec…,” GMA News, April 22, 2016, www.gmanetwork.com WADA: “WADA confirms attack by Russian cyber-espionage group,” /news/story/563633/scitech/technology/int-l-web-security- WADA, September 13, 2016, www.wada-ama.org/en/ expert-slams-comelec-for-slow-acknowledgment-of-data-hack. media/news/2016-09/wada-confirms-attack-by-russian- cyber-espionage-group; “World Anti-Doping Agency site hacked, Qatar National Bank: “Qatar National Bank leak: Security experts hint thousands of accounts leaked,” Hackread, August 12, 2016, 'SQL injection' used in database hack,” International Business Times, www.hackread.com/world-anti-doping-agency-site-hacked/. April 27, 2016, www.ibtimes.co.uk/qatar-national-bank-leak- security-experts-hint-sql-injection-used-database-hack-1557069.

LEARN MORE AT VERACODE.COM